[PHP][C++] Root Exploiter (Part 2) – No Back-Connect

This post has the same goal as the previous one, i.e. to get root access on the target machine with just a PHP interface and no back-connect or reverse connection. So, if you haven't already, read part 1 of this post here: [PHP][Python] Root Exploiter – No Back-Connect.

In the previous version of this article, I used subprocess, pipes, popen and pexpect in Python to interact with another exploit. This time, I'm going to show a rather simpler approach to interacting with another program or executable without losing the session (prompt) at run time, via a simple PHP interface.

I'm going to use a binary executable coded in C++ to act as a handler for our exploit and also as a persistent backdoor to a privileged user (root) account. Here's a detailed demo of the whole process.

Here's the C++ code of the executable; it's quite self-explanatory.

This code can be compiled using the g++ compiler, or you can download the precompiled executable from Here. This binary executable can be used directly via any PHP shell. For example, to run your local root exploit, you can simply do:

```shell
./makman --exploit="./Name_of_the_exploit_here"
```

If the exploit is successful, the file permissions of the handler makman will be changed to 4755 with root as the owner, which means that the setuid bit of this file is set. Now you can run your commands as the root user.
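The artifact this technique leaves behind is easy to describe from the defender's side: a regular file with mode 4755, owned by root, sitting in a directory the web server can write to. The script below is an added example (not code from the original post or its author) that walks a directory tree and reports setuid files owned by a privileged uid, which is how you would audit a web root for exactly this kind of handler. It generalises slightly beyond the post by scanning any tree, not just one file. The fixture directory, the file name `uploads_handler`, and the ELF placeholder bytes are all constructed for the demo; the files it creates belong to the current user, so the demo passes that uid as "privileged", whereas a real audit uses the default of uid 0.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Tuple

# A finding is (path, octal permission string, owner uid).
Finding = Tuple[str, str, int]


def is_setuid(mode: int) -> bool:
    """True if `mode` describes a regular file with the setuid bit (04000) set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid_files(root: str, privileged_uids: Iterable[int] = (0,)) -> List[Finding]:
    """Walk `root` and return regular files whose setuid bit is set and whose
    owner is in `privileged_uids` (root by default). Symlinks are not followed,
    and files that vanish during the walk are skipped rather than aborting."""
    privileged = set(privileged_uids)
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never dereference symlinks
            except OSError:
                continue
            if is_setuid(st.st_mode) and st.st_uid in privileged:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(findings)


def build_sample_webroot(base: str) -> str:
    """Constructed fixture: a fake web root with one ordinary PHP file and one
    file carrying mode 4755, mimicking the handler described in the post.
    Names and contents are made up for the demo."""
    webroot = os.path.join(base, "var", "www", "html")
    os.makedirs(webroot)
    plain = os.path.join(webroot, "index.php")
    with open(plain, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    os.chmod(plain, 0o644)
    suspect = os.path.join(webroot, "uploads_handler")  # hypothetical name
    with open(suspect, "wb") as fh:
        fh.write(b"\x7fELF placeholder (constructed, not a real binary)\n")
    os.chmod(suspect, 0o4755)
    return webroot


def demo() -> List[Tuple[str, str]]:
    """Scan the constructed fixture and return (relative path, mode) pairs.
    The fixture files are owned by whoever runs this, so that uid is treated
    as privileged here; a production scan keeps the default of uid 0."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = build_sample_webroot(tmp)
        return [(os.path.relpath(path, webroot), mode)
                for path, mode, _uid in find_setuid_files(webroot, {os.getuid()})]


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"setuid file found: {rel} (mode {mode})")
```

Running it against a real document root with the default uid set is a one-liner (`find_setuid_files("/var/www")`); any hit is worth an immediate look, since a legitimate web application has no reason to ship a root-owned setuid binary, and mounting upload directories `nosuid` prevents the bit from having any effect even if the file appears.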

```shell
./makman --command="whoami"
#OR
./makman --command="cat /etc/shadow"
```

I have also coded a PHP interface to automate this whole process, just like in the previous version.